Exam (elaborations)

WGU D430: Fundamentals of Information Security – Risk Management, Compliance & Cryptography Study Course Review Questions and answers updated 2026

Rating: -
Sold: -
Pages: 46
Grade: A+
Uploaded on: 09-03-2026
Written in: 2025/2026


Institution: WGU D430 / WGU C836 Information Security
Course: WGU D430 / WGU C836 Information Security

Content preview


Vulnerabilities - correct answer weaknesses or holes of an asset that threats can
exploit to cause harm.


Ex; could be an operating system, the physical location of a building, servers generating
more heat than the air-conditioning can handle, etc.


Risk - correct answer the likelihood that something bad will happen because of the
potential for a threat to exploit a vulnerability.


M; pinpoint the high likelihood of THESE and spend your time mitigating these more
likely attacks instead of spreading your time evenly with less likely attacks.


Impact - correct answer THIS takes into account the value of the asset being
threatened and uses it to calculate risk.


Ex; if the asset is your journal, you can say there is no risk. If the asset is your bank
account information, you can say the risk is very high.


M; the US National Security Agency (NSA) added THIS factor to the
threat/vulnerability/risk equation.


Risk management process - correct answer identify assets > identify threats > assess
vulnerabilities > assess risks > mitigate risks.


Identify important assets, figure out potential threats against them, assess vulnerabilities,
then take steps to mitigate these risks.

Identify assets (risk management process) - correct answer THIS is one of the first and
most important parts of risk management. If you can't identify the impact, then
protection becomes a difficult task.


Ex; acquisition of another company leads to THIS possibly being required to keep the
business functional.


Identify threats (risk management process) - correct answer once the impact of assets
is assessed, THIS is required to see how potential attacks might affect the assets.


M; being concerned with losing control of data, maintaining accurate data, and keeping
the system up and running allows you to be able to look at areas of vulnerability and
potential risk.


Assess vulnerabilities (risk management process) - correct answer assets can have
millions of threats, but only a fraction will be relevant; THIS is done to see if those
relevant threats pose a risk.


Ex; if data is exposed, it could lead to a breach. If your data is encrypted, this is not a
risk.


Ex; if the system goes down, business operations will also go down; this is a risk.


Assess risks (risk management process) - correct answer once the threats and
vulnerabilities are identified, THIS is done to have an overall idea of the risk so you can
start to mitigate them.


M; a vulnerability with no matching threat or a threat with no matching vulnerability does
not constitute a risk.


Mitigate risks (risk management process) - correct answer THIS is putting measures
(called controls) in place to account for each threat. There are three categories of
control: physical, logical, and administrative.

Physical controls/measures (mitigate risks) - correct answer THIS protects the physical
environment in which your systems sit or where your data is stored. Also controls
access to such environments.


Ex; includes fences, gates, locks, bollards, guards, and cameras, but also systems that
maintain the physical environment, such as heating and air-conditioning systems, fire
suppression systems, and backup power generators.


M; one of the most critical controls. Makes other controls useless if an attacker has
direct access to your system.


Logical (or technical) controls/measures (mitigate risks) - correct answer THIS protects
the systems, networks, and environments that process, transmit, and store your data.


Ex; THIS can be things such as passwords, encryption, access controls, firewalls, and
intrusion detection systems.


M; enables the prevention of unauthorized activities unless the attacker is able to
subvert the controls.


Administrative controls/measures (mitigate risks) - correct answer THIS dictates how
the users of your environment should behave; the rules, laws, policies, procedures,
guidelines, and other items that are "paper" in nature.


M; an important aspect of THIS is the ability to enforce it. Can cause threats and
vulnerabilities if left unchecked.


Incident response - correct answer something to be done in the event of an attack and
should be directed in a way that is based on the impact the attack has on the
organization.

M; steps in THIS process: preparation, detection and analysis, containment, eradication,
recovery, post-incident activity.


Preparation (incident response) - correct answer the phase where things are done
before an incident occurs.


Ex; policies and procedures that govern incident response and handling, conducting
training for the response team and those who report incidents, and developing and
maintaining documentation.


M; decisions should already be made regarding what needs to be done, who needs to
do it, and how to do it.


Detection and analysis (incident response) - correct answer the phase where issues
are detected, a decision is made whether it's actually an incident, and the appropriate
response to it. The second part of this requires human judgement and decision making.


M; usually detected with a security tool or service such as an intrusion detection system
(IDS), antivirus (AV) software, firewall logs, proxy logs, or alerts from a security
information and event monitoring (SIEM) tool or managed security service provider
(MSSP).


Containment (incident response) - correct answer THIS involves stopping an incident
from doing any more damage or at least lessening any ongoing harm.


Ex; if malware-infected by a remote attacker, this might involve disconnection, blocking
with a firewall, and updating signatures or rules on an intrusion prevention system (IPS)
to halt the malware traffic.


Eradication (incident response) - correct answer THIS involves attempting to remove
the effects of the issue from your environment.

Seller: KieranKent55